Cybersecurity firm FireEye has confirmed that the personal laptop and social media accounts of one of its Mandiant breach-investigation employees were hacked by a group of self-professed black hat hackers calling themselves "31337."

"We are aware of reports that a Mandiant employee's social media accounts and personal laptop have been compromised," a spokeswoman for California-based FireEye tells Information Security Media Group. "We are investigating this situation, and have taken steps to limit further exposure."

For now, however, it says the breach appears to be contained to the employee's laptop. "While our investigation is ongoing, there is currently no evidence that FireEye or Mandiant corporate systems have been compromised," FireEye's spokeswoman says.

The breach first came to light Monday via an anonymous post to Pastebin labeled "Mandiant Leak: Op. #LeakTheAnalyst." The post contains links to a 32 MB file that attackers claim contains details relating to Adi Peretz, a senior threat intelligence analyst at FireEye's Mandiant consulting services unit, which provides incident response services that the company is now presumably applying to itself.

The attackers also claim that the dump contains network topology - potentially for FireEye's malware analysis lab - as well as details of FireEye licenses, contracts, and an extensive collection of Peretz's personal and business emails.

Further Dumps Threatened

The 31337 hackers' name is a reference to leet - a shortening of "elite" - or what's also known as leetspeak, which is a form of symbolic writing born from 1980s bulletin board systems.

The group claims it had access to Peretz's system for more than a year. It says the data dump is a warning to Mandiant. "This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future," the group claims.

Excerpt from the 31337 group's Pastebin post.

The additional data, the attackers claim, includes details of "Mandiant internal networks and its clients data," as well as credentials for various accounts. The attackers also suggested that they had obtained data that relates to the Israeli prime minister's office, as well as Israel's Hapoalim Bank.

The 31337 hacking group says the data dump is the first in a series of what are meant to be retributory attacks against security analysts.

"For a long time we - the 31337 hackers - tried to avoid these fancy ass "analysts" [who are] trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say [expletive] the consequence let's track them on Facebook, Linked-in, Tweeter, etc. let's go after everything they've got, let's go after their countries, let's trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data, as a side job of course."

FireEye Confirms Leaks

FireEye has confirmed that information relating to two unnamed customers has been leaked.

"Our top priority is ensuring that our customer data is secure," FireEye's spokeswoman says. "To date, we have confirmed the exposure of business documents related to two separate customers in Israel, and have addressed this situation with those customers directly. This is an ongoing investigation, and new or additional information may emerge as we continue looking into this matter."

FireEye says it will release further updates as its investigation continues.

Based on the data that's been dumped so far, Ido Naor, an Israel-based cybersecurity researcher who works for Moscow-based Kaspersky Lab, says that the "dump does not show any damage to core assets of Mandiant."

By accounts, a reputation hack only. So far limited to a single person's home box. Lack of additional suggests good backstopping by Mandiant https://t.co/u1byjjSpTb

Meanwhile, digital forensics researcher Brian Baskin, a senior threat researcher for Massachusetts-based Carbon Black, says that the attack so far only appears to be a "reputation hack" aimed at the Mandiant security analyst, and by extension Mandiant and FireEye.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
